5. Coming soon: a view from the ICO
National Volunteering Forum – 15 May 2018
Richard Sisson, Senior Policy Officer,
Policy & Engagement (Private & Third Sector)
7. Key points about GDPR
• Evolution, not revolution
• Focus on transparency and control
• Accountability
• Individuals’ rights
8. Ten days to go: complying with the GDPR…
• Complete compliance is the aim
• 25 May is not the end date for compliance
• The ICO remains a pragmatic organisation
• However, there is no grace period
• Follow the accountability principle
• Know your lawful basis and be able to justify it
• Be as transparent as you can
9. Fining powers
Up to €20 million or 4% of annual turnover, whichever is higher, but:
• The ICO wants to promote good practice
• It is not going to issue fines to punish organisations
• No guarantee of not fining, but mitigation will be looked at
• Accountability practices count as mitigation
ICO can issue greater fines but this is not our goal.
10. How to work with the ICO
• ICO guidance, plus a charity sector page
• The ICO liaises with member bodies on issues
• The ICO is expanding – new teams and processes
12. Fundraising and direct marketing
Confusion over the use of legitimate interests (LI) and consent:
• If the marketing is caught by PECR, you will need consent, except in certain circumstances
• LI can be used for marketing not caught by PECR, but you must carry out an LI assessment, and there is still a need for transparency
13. Issues for the sector 1: what do volunteers need to do about personal data?
• It depends on how the volunteer is undertaking their role
• If they are not processing personal data as part of their role, it is still useful for them to know about the legal obligations regarding personal data
• It may also be useful for them to know what the organisation does with personal data, for purposes of transparency
14. Issues for the sector 2:
Where volunteers do process personal data, they must:
- know the purpose for which they need the individual’s data
- know their lawful basis
- be transparent
- only collect the personal data that they need
- have appropriate security in place
The organisation should decide whether individuals need to process the data independently or whether the organisation should process the personal data itself.
32. Do it with data: GDPR – sharing & consent in volunteer brokerage
Damien Austin-Walker, doit.life
34. Pillars of GDPR
● Transparency - the right to be informed
● Access - the right to access and verify data is processed legally
● Rectification - the right to rectify incorrect or incomplete data
● Erasure - the right to have personal data erased (the ‘right to be forgotten’)
● Portability - the right to obtain and reuse your personal data
● Objection - the right to object to marketing & profiling
40. What is Do it doing?
When you register your interest in a job or volunteering opportunity, we will forward your details to the recruiter. If the opportunity is advertised through a broker, such as a Volunteer Centre or recruitment agency, your details will be available to both the broker and the organisation providing the opportunity in order to take your application forward.
48. Rise of digital identity
Data can be encrypted so that only the individual holds the keys and grants access on a case by case basis. It can also be decentralised, stored across users’ personal devices or across the internet on a blockchain. One caveat for the erasure right listed above: anything written to a public, append-only ledger cannot later be deleted, so the personal data itself needs to stay off-chain, with only references or proofs on the ledger.
56. A different approach: ‘Protecting and Respecting Personal Data’
• Creates engagement and a desire to comply with the regulations
• Positive response to this approach
58. Starting the conversation… Self Assessment
• Each Branch/Group (B&G) member with data responsibilities asked to complete it, with support from the Regional Volunteer Development Co-Ordinator
• Almost 60% returned – used to inform training
• Started B&G looking at their practices ahead of learning sessions
59. Learning Sessions… ‘What do I need to know?’
• National delivery of face-to-face learning sessions focused on ‘what do I need to know’ - not weighed down in technical information
• Using real life examples and scenarios
• Able to respond to questions and concerns immediately
61. Challenges…
• National reach of volunteers – 79 active B&G
• Creating opportunities for volunteers to attend learning sessions
• Pitching the learning sessions at the right level
• The complexities of applying GDPR
• Managing varying attitudes to new regulations
62. What’s Next…
• More learning events
• Volunteer team able to deliver further sessions with learning resources
• Webinars for those unable to attend
• Review of B&G practice on-going
64. Privacy Statements (Squaring the Circle): Managing Multiple Relationships (Who are you to them?)
Gary Shipsey | Managing Director
14th May 2018
15 May 2018
66. “We won’t share your details with other charities for marketing purposes. If that’s not OK, please tick the box.”
67. “…ought to reasonably have known that data subjects would be unlikely to infer from those terms that their personal data would be processed for the purposes of wealth screening”
para 40 BHF / para 47 RSPCA (ICO monetary penalty notices)
68. …user-centric rather than legalistic
“The practical (information) requirements are outlined in Art. 12 - 14. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information…”
Article 29 Working Party Guidelines on transparency
69. ‘Privacy notice’ is used here to describe all the privacy information you need to make available to people. It must:
• Be more detailed and specific
• Be understandable and accessible
• Be audience specific
• Use house-style language
There is still discretion for [you] to consider where the information should be displayed in different layers of a notice.
70. Means of providing privacy information
1. the language and general accessibility considerations;
2. how you will approach vulnerable data subjects (if applicable);
3. engagement with stakeholders in developing and testing your privacy info.;
4. your approach to obtaining consent (where applicable);
5. your approach to collecting personal data via applications (if applicable);
6. the different ways personal data is collected from each Data Subject Category;
7. what potential methods, means and formats you have at your disposal to deliver the privacy information, and
8. an approach to providing privacy info. throughout the period of processing
71. Means of providing general privacy information
Define how you will provide access to the privacy information that every Data Subject should be able to access:
- Data Controller
- DPO / DP Lead
- Individual’s rights
- ICO
72. Baseline of specific privacy information (per Data Subject Category)
Define a "baseline" of specific privacy information for each Data Subject Category. Much of the detail should come from your Record of Processing Activities (ROPA). Maintain a Master Log of “baseline” privacy information in your Privacy Information Strategy.
Data Subject Categories:
A. Employees
B. Contractors
C. Councillors
D. Applicants
E. Service users
73. Privacy Information Assessments
Undertaken to define how privacy information will be provided, in three situations:
A. Personal data collected directly from an individual - e.g. via a form; verbally; in person.
B. Personal data that comes into the organisation from another source - e.g. a referral from another organisation; a public source.
C. When existing personal data is to be used for a new purpose.
74. The request for consent shall be presented in a manner which is:
• Clearly distinguishable from other matters
• In an intelligible and easily accessible form
• Using clear and plain language
(Art. 7(2))
75. Consent
“Any freely given, specific, informed and unambiguous indication of [their] wishes… [either] by a statement or by a clear affirmative action”
76. Specific and informed
Consent is “not…freely given, if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate”. When the processing has multiple purposes, consent should be given for all of them.
If you want consent for various different purposes or types of processing, “…you should provide a separate opt-in for each…unless you are confident it is appropriate to bundle them together.” People should not be forced to agree to all or nothing; they may want to consent to some things but not to others.
77. Direct marketing
“…communication (by whatever means) …of any advertising or marketing material …which is directed to particular individuals”.
“All promotional material….including material promoting the aims [and ideals] of not-for-profit organisations…”
“…the direct marketing rules…will apply to the promotional, campaigning and fundraising activities of [charities / NfPs].”
“…any messages which include some marketing elements, even if that is not their main purpose.”
79. Lawful basis by marketing channel (table; column headings not recovered)
Screen vs: previous objections + TPS
Legitimate interests OR consent
Legitimate interests OR consent
n/a
80. How long does consent last?
PECR: consent is “for the time being”
GB Red Cross undertaking: 2 years
ICO Direct Marketing guidance:
• “consent lasts as long as circumstances remain the same, and will expire if there is a significant change in circumstances.” para 63.
• “Even if consent is not explicitly withdrawn, it will become harder to rely on as a genuine indication of the person’s wishes as time passes.
• ‘for the time being’. We consider this implies a period of continuity and stability, and that any significant change in circumstances is likely to mean that consent comes to an end.” para 99.
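The rules summarised on the fundraising, consent and consent-duration slides (consent for channels caught by PECR; legitimate interests otherwise, after an LI assessment and screening against previous objections and the TPS; a separate opt-in per purpose; consent that goes stale) are exactly what a supporter database has to encode before every send. The following is an added example written for this page, not code from any of the presenters, the ICO or Protecture. The `Supporter` and `Consent` records, the two-year staleness threshold (taken from the GB Red Cross undertaking figure on the slide, but a policy choice for you), and the rule that a TPS-registered number blocks a live call without consent are assumptions made for illustration.

```python
"""Lawful-basis gate for one direct-marketing contact (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set, Tuple


class Channel(Enum):
    EMAIL = "email"
    SMS = "sms"
    AUTOMATED_CALL = "automated_call"
    LIVE_CALL = "live_call"
    POST = "post"


# Channels where PECR requires prior consent. Live calls and post may rely on
# legitimate interests (LI) after screening (assumption: simplified reading of PECR).
PECR_CHANNELS = {Channel.EMAIL, Channel.SMS, Channel.AUTOMATED_CALL}

# Assumed policy value: treat consent as stale after two years (the GB Red Cross
# undertaking figure on the slide). Set it from your own assessment.
DEFAULT_MAX_CONSENT_AGE = timedelta(days=730)


def utc(year: int, month: int, day: int) -> datetime:
    """Helper: a timezone-aware UTC timestamp at midnight on that date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Consent:
    purpose: str                      # separate opt-in per purpose, e.g. "appeals"
    channel: Channel                  # separate opt-in per channel
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Supporter:
    consents: List[Consent] = field(default_factory=list)
    objected_purposes: Set[str] = field(default_factory=set)  # previous objections
    on_tps: bool = False              # phone number registered with the TPS


def find_valid_consent(s: Supporter, purpose: str, channel: Channel,
                       now: datetime, max_age: timedelta) -> Optional[Consent]:
    """Return a consent matching BOTH purpose and channel that has not been
    withdrawn and is not older than max_age; otherwise None."""
    for c in s.consents:
        if c.purpose != purpose or c.channel != channel:
            continue        # consent for something else is not consent for this
        if c.withdrawn_at is not None and c.withdrawn_at <= now:
            continue        # withdrawn
        if now - c.given_at > max_age:
            continue        # stale: harder to rely on as time passes
        return c
    return None


def marketing_basis(s: Supporter, purpose: str, channel: Channel,
                    now: Optional[datetime] = None,
                    li_assessment_recorded: bool = False,
                    max_consent_age: timedelta = DEFAULT_MAX_CONSENT_AGE,
                    ) -> Tuple[bool, Optional[str], str]:
    """Decide whether one contact may go ahead and on which lawful basis.
    Returns (allowed, basis, reason)."""
    now = now or datetime.now(timezone.utc)
    # A previous objection to marketing for this purpose is honoured first.
    if purpose in s.objected_purposes:
        return False, None, "previous objection on record for this purpose"
    consent = find_valid_consent(s, purpose, channel, now, max_consent_age)
    if consent is not None:
        return True, "consent", "valid consent given on %s" % consent.given_at.date()
    # No usable consent from here on.
    if channel in PECR_CHANNELS:
        return False, None, "PECR channel: consent required and none is valid"
    if channel is Channel.LIVE_CALL and s.on_tps:
        return False, None, "TPS-registered number: live call needs consent"
    if not li_assessment_recorded:
        return False, None, "legitimate interests needs a recorded LI assessment"
    return True, "legitimate_interests", "LI assessment recorded; objections and TPS screened"


if __name__ == "__main__":
    # Constructed sample data, not real supporters.
    today = utc(2018, 5, 15)
    donor = Supporter(consents=[Consent("appeals", Channel.EMAIL, utc(2017, 1, 10))])
    print(marketing_basis(donor, "appeals", Channel.EMAIL, today))
    print(marketing_basis(donor, "events", Channel.EMAIL, today))
    print(marketing_basis(donor, "events", Channel.POST, today, li_assessment_recorded=True))
```

The decision function returns the reason alongside the verdict so the outcome can be logged against the supporter record; that log is the accountability evidence the ICO slides ask for. Note that the LI assessment is a property of the organisation's processing, not of the supporter, which is why it is passed in separately rather than stored on the record.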
82. Common sense….?
15 May 2018 www.protecture.org.uk
“Common sense is not so common”
Voltaire
83. Greater emphasis on:
• Transparency
• Accountability
• Fines
• Compensation
The controller “shall be responsible for and be able to demonstrate compliance with the principles” (Art. 5(2), accountability)
84. A) Accountability
Diagram (recovered text): three layers, each with its document type and what it sets out:
a. Strategic – Policy – risk appetite and overall accountability
b. Operational – Standard – what needs to be achieved
c. Tactical – Procedures – how to achieve it; steps to follow
Stakeholders around the DPO / DP Lead: Public; Regulators (ICO / Fundraising Regulator / Charity Commission); Suppliers; Staff
Protecture: Management and Delivery of Key GDPR Requirements
86. A) Accountability: Record of Processing Activities (ROPA)
For each processing activity, record: purpose; lawful basis; transparency (be fair – inform people); how much to collect; who needs to see it; who to share it with; how long to keep it; the extent to which people can use/enforce their rights.
“… specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”
87. A) Accountability: Record of Processing Activities (ROPA) – example scoping
Business objectives / areas: 1. Fundraisers; 2. Finance team / HR (incl. volunteers); 3. Support Hubs; 4. Recreation Club (gym); 5. Massage therapy; 6. Shops
Data Subject Categories: A. Employees / Volunteers; B. Donors (financial); C. Service users; D. Customers
88. A) Accountability: Record of Processing Activities (ROPA) – second example scoping
Business objectives / areas: 1. Housing; 2. Education; 3. Justice; 4. Health; 5. Support & advice; 6. Policy & research; 7. Finance / HR; 8. Fundraising
Data Subject Categories: A. Employees / Volunteers; B. Donors (financial); C. Service users
89. Lawful bases for processing
• Compliance with a legal obligation: required by UK or EU law
• A public task: official functions/tasks in the public interest
• Vital interests: protecting someone’s life
• Contract with the individual: supplying what they want, or steps taken at their request before entering into a contract
• Consent
• Legitimate interests*: your needs, unless outweighed by the harm to the individual’s rights and interests
91. C) Security
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, …the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…” (Art. 32(1))
92. C) Security
“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed …” (Art. 32(2))